Researchers Lift Lid on Government-Distributed Cyber-Spy Trojans

After pro-democracy activists in Bahrain were hit by email attacks that would have installed spyware, a spreading investigation reveals more details about corporate-made Trojans sold to governments.

A recent study of cyber-spying malware discovered by Middle Eastern pro-democracy activists has found that it is a commercially developed Trojan apparently purchased and distributed by government authorities to keep watch on dissident citizens.

Late in July, pro-democracy activists, security researchers and journalists from Bloomberg News collaborated to uncover details about a mysterious piece of malware known as FinFisher, which proved to be spyware made by U.K. company Gamma International and sold to government clients.

Working from executables encountered by pro-democracy activists, computer scientists and researchers at the University of Toronto's Citizen Lab reverse engineered part of the software and found telltales signs that linked it to the U.K. firm.

Others took up the investigations and discovered that the use of FinFisher went far beyond spying on Bahraini activists. On Aug. 8, a researcher from security firm Rapid7 published his own analysis of the software, finding that servers in 10 countries, including the United States, Australia and Indonesia, showed signs of hosting the software needed to manage systems compromised with the espionage Trojan.

Rapid7 security researcher Claudio Guarnieri used a system created by HD Moore, the firm's chief security officer, to call up historical scans of large swaths of the Internet and search them. By searching on a specific string in the servers responses, Guarnieri found 11 additional servers in 10 countries that showed signs of being central servers for espionage networks.

"We basically got lucky, because running that project, it was collecting the same data that we needed to fingerprint the servers," said Guarnieri. "We just looked for the pattern that we identified."

Rapid7 found servers in Australia, the Czech Republic, Estonia, Ethiopia, Indonesia, Latvia, Mongolia, Qatar, the United Arab Emirates, and the United States. In its analysis, the company emphasized that the location of the server does not mean that particular nation was involved. Almost all the servers were located on the networks of commercial Internet hosting providers.

The analysis would not have been possible except for two factors: As part of an ongoing project, Rapid 7 has begun scanning the Internet and the developers of FinFisher made a significant error: When a server running the command-and-control software encountered an unauthorized request, it would send back the unique response--"Hallo Steffi"--to the source of the request.

Since Rapid7's scanning system, known as Critical.io, recorded the responses to its port scans, it contained a historical record of the existence of the FinFisher servers on the Internet, even after the computers were patched to eliminate the unique string.